New router, not sure what I need/what to get.

I'm on Sky, they let you change the modem/router now without hassle. I want a few more options than the typical router supplied by ISPs gets you, plus the Sky hub is a bit pants, so I want to change.

I want all the standard stuff (4 gigabit ethernet, wifi etc), but I'd also like to run a VPN on the router itself, but not route everything through it, just some of the ethernet ports. Also I want to have two wifi access points set up, one routed through the VPN, one not. I have some older devices that either don't support the VPN client or if they do, it slows them down and the battery drain is higher, so I'd like them connected and routed through it. I don't want everything through it, as if the device is fine with the client side software, I prefer that due to ease of switching servers or turning off if need be.

Sync speed is the full 79999, so would be nice if the router could handle that over the VPN, but as long as it's a decent enough speed it's fine.

Have an HG612, happy to use that, router just needs to support Sky's weird authentication.

Not sure where to start looking or if the setup I'm looking for is asking too much from off the shelf typical hardware.

Thanks.
 
I ran an HG612 with a pfSense build doing as you describe at near line speed (80/20). You could also virtualise it if you have a suitable host (minor inconvenience of reboots on the host taking down LAN/WAN). The other option that may fit your needs is Docker: if you have a suitable host running already (UnRAID or similar NAS distro, for example) then one of the binhex containers running Privoxy is ideal; just point the local clients to it via IP:Port as a proxy and it’ll do all the heavy lifting.
 
The only ‘off-the-shelf’ consumer/prosumer routers that might be able to handle that sort of complex load that I’ve seen would be Mikrotik. And even then the cheaper ones would struggle with the throughput.

You can definitely specify VPN down to one or more interfaces (physical RJ45 ports) and that could let you have the access points VPN dedicated but also you could just separate the VPN traffic onto a particular WLAN SSID unless I’ve missed something in how you want your network set up? Most decent access point solutions allow more than one SSID.

Have a look at the Mikrotik RB 4011 series.

https://mikrotik.com/product/rb4011igs_rm is just the router

https://mikrotik.com/product/rb4011igs_5hacq2hnd_in is the same device with AC WiFi.

If you use their own AC access points then you can also use their cAPsMAN software to run it all.

If you REALLY want to guarantee to hit the VPN at full line speed, the RB 1100 series will definitely be able to do it.

https://mikrotik.com/product/rb1100ahx4
 
Totally agree with @WJA96 that a MikroTik may help. I believe a Hex R3 would do what you are asking with regards to gigabit ports and VPN (as it has hardware offload), it's also cheap at around £40.
You'd need a separate WiFi access point though which would take the price up but you could at least mix and match a UniFi AP in with that to get the best of both worlds. I wouldn't advocate a MikroTik AP to anyone where UBNT is an option.

MER may not be that much of an issue as SKY have been slowly pushing towards PPPoA with more recent connections (link) but I can't say I've seen it implemented so worth double checking.
 
I wouldn't advocate a MikroTik AP to anyone where UBNT is an option.

Have you had a poor experience? I've only used one once and it seemed to work fine.

Apologies to the OP if this is taking the thread off topic.
 
Have you had a poor experience? I've only used one once and it seemed to work fine.

I wouldn't say a poor experience by any means, the MikroTik stuff usually works but with the recent AC stuff there are a lot of people on the MT forum who suffer from poor throughput and a lot compare to the UBNT range where UniFi stuff comes out on top. I like the idea of a RouterOS based wireless AP but for the "go to" units such as the WAP and CAP AC's there seem to be a lot of niggles.

MT for routing & switching.
UBNT for Wireless.
^A solid mantra that will give you trouble free installations for years.
 
You can definitely specify VPN down to one or more interfaces (physical RJ45 ports) and that could let you have the access points VPN dedicated but also you could just separate the VPN traffic onto a particular WLAN SSID unless I’ve missed something in how you want your network set up? Most decent access point solutions allow more than one SSID.

Nah, you are spot on. That's what I want, only really use ISP-supplied gear, which generally doesn't support multiple SSIDs, so didn't know you could do it.

I think I want to go with a separate access point, my master socket is in the corner at the front of the house, so wifi is not great. So I think separates are better, then I can have an AP in the hallway in a much nicer position. So if I have a separate point connected by ethernet to it, is it still capable of routing only some through the VPN based on separate SSID, even though it's a separate access point connected via ethernet, or would I need two, so I can specify the ethernet port?


Totally agree with @WJA96 that a MikroTik may help. I believe a Hex R3 would do what you are asking with regards to gigabit ports and VPN (as it has hardware offload), it's also cheap at around £40.
You'd need a separate WiFi access point though which would take the price up but you could at least mix and match a UniFi AP in with that to get the best of both worlds. I wouldn't advocate a MikroTik AP to anyone where UBNT is an option.

MER may not be that much of an issue as SKY have been slowly pushing towards PPPoA with more recent connections (link) but I can't say I've seen it implemented so worth double checking.

Yeah, looked into it. Hex r3 seems to be the budget option and will do what I want. Only have 80/20 and reviews seem like it's more than capable of that over vpn.

Works on Sky, read multiple people saying it's fine. Saw someone saying they couldn't get ipv6 working. Thought ipv6 is ipv6, hex supports it, so maybe a setup issue. Don't really need it anyway, so not a massive issue.

As above, fine with a separate AP, probably work better based on where router has to sit anyway.

Hex r3 seems to fit what I want for a decent price then. Any recommendation on a specific AP to go with it? I'm not fussed about mesh or anything like that. Only tablets and phones connected to it, just something with decent range and speed is fine.


Thanks.
 
I split all the required home network functions into pieces instead of using the supplied ISP router setup.
So Vigor 130 for the VDSL modem, pfSense on a VM for router, Pi-hole on a separate VM for DNS and keeping crap away, a 10 port PoE switch with 2 SFP ports, 2 managed TP-Link wireless APs, Squid proxy on the pfSense VM (might move this to a separate VM).

Why? Cos I can.
 
Nah, you are spot on. That's what I want, only really use ISP-supplied gear, which generally doesn't support multiple SSIDs, so didn't know you could do it.

I think I want to go with a separate access point, my master socket is in the corner at the front of the house, so wifi is not great. So I think separates are better, then I can have an AP in the hallway in a much nicer position. So if I have a separate point connected by ethernet to it, is it still capable of routing only some through the VPN based on separate SSID, even though it's a separate access point connected via ethernet, or would I need two, so I can specify the ethernet port?




Yeah, looked into it. Hex r3 seems to be the budget option and will do what I want. Only have 80/20 and reviews seem like it's more than capable of that over vpn.

Works on Sky, read multiple people saying it's fine. Saw someone saying they couldn't get ipv6 working. Thought ipv6 is ipv6, hex supports it, so maybe a setup issue. Don't really need it anyway, so not a massive issue.

As above, fine with a separate AP, probably work better based on where router has to sit anyway.

Hex r3 seems to fit what I want for a decent price then. Any recommendation on a specific AP to go with it? I'm not fussed about mesh or anything like that. Only tablets and phones connected to it, just something with decent range and speed is fine.


Thanks.

And... based on that I’m going to suggest some different options again;

Option 1 - Ubiquiti UniFi USG, Ubiquiti UniFi US-8-60W switch and Ubiquiti UniFi AP-AC-LR access point. That gives you ease of use and setup.

Option 2 - Mikrotik hAP-AC and Mikrotik CAP AC. This gives you extreme flexibility and two access points - one on the hAP-AC and one on the additional CAP access point.

Option 3 - Netgate pfSense SG-1100 and Ubiquiti UniFi AP-AC-LR. Arguably the strongest security option.

Option 4 - Untangle Z4 UTM appliance and Ubiquiti UniFi AP-AC-LR. Arguably the easiest to configure security option.

I’ve installed all of these options for people and they all work well. I still think in your situation the Mikrotik RB4011IGS+5HACQ2HND-IN is the best overall option in one box.
 
Unless things have changed, I've heard people say that Mikrotik software is not exactly user friendly and Linux users are expected to install Wine.
 
MikroTik supply 3 options to configure their routers. QuickSet is the same sort of interface you’d find on an EdgeRouter or a BT HomeHub.

If you want the ultimate (all options exposed in the GUI) interface then you need WebFig WinBox and that only runs under Windows. So yes, Linux users have to run it under WINE.

If you want, you can configure a Mikrotik device from the command line, but you definitely don’t have to.
 
Thanks WJA96, I've just had a look at QuickSet and from the screenshots it doesn't look any worse or more difficult than your average router.
 
WJA96 any opinions on the HAP ac2 at £63?

*edit*

I thought it seemed too cheap to be true, lots of complaints on their forum about slow Wi-Fi that's supposed to be fixed with a software update but others say it's still the same?
 
A lot of the complaints are from people who don't set them up very well. Most tend to whack them into 80MHz channel width in 5GHz and expect gigabit throughput.

hAP AC2's are killer pieces of kit and usually get snapped up very quickly.
 
They are complaining about getting slower Wi-Fi speeds than their previous off the shelf routers, dropping from 300Mbps to 180Mbps for example; they were not even trying to get gigabit throughput.

No problems with the switch though from what I've read at their forum.
 
And... based on that I’m going to suggest some different options again;

Option 1 - Ubiquiti UniFi USG, Ubiquiti UniFi US-8-60W switch and Ubiquiti UniFi AP-AC-LR access point. That gives you ease of use and setup.

This is essentially what I have now.

Sky FTTC --> Vigor 130 --> USG --> Ubiquiti UniFi US-8-150W --> 3x UniFi APs and all controlled by the UniFi CloudKey Gen2.

The USG and Vigor setup made me want to murder, but it was about 30c+ in my office at the time, so may have exacerbated things somewhat. USG was not acting as expected and had DHCP issues and failed provisions until I did a factory reset, a manual offline firmware update and started again.
Working great now.

Just note, you will need to set DHCP option 61 on the USG for Sky and create a JSON file for it on the controller. Don't worry though, if you choose to do this give me a shout @Armadillo.
 
They are complaining about getting slower Wi-Fi speeds than their previous off the shelf routers, dropping from 300Mbps to 180Mbps for example; they were not even trying to get gigabit throughput.

Yeah that was a little underhand remark I made however MikroTik have kind of made a rod for their own back with this though. A lot of their Wave2 AC kit simply doesn't work as it should because they use an old kernel and are writing what they can custom to make the stuff work. This means the "new" features that Wave2 brings simply won't be implemented (or at least for a long time). Every feature they cannot make work gets tagged as being in "v7" which as of yet has an unknown ETA which it has had for at least 5 years.
Link

I'm (usually) a really big advocate of MT hardware but their 5GHz wireless kit, whether built into routers or even outdoor PtP/PtMP, is behind the curve. They seem a bit lost at the moment with product development.
 
Still one hell of a piece of kit though for the price considering you can pay twice that for a dual core with the same CPU speed and less ram.

Not sure what hardcore RouterOS users will make of this but OpenWRT has listed it on GitHub as work in progress. :)
 
Still one hell of a piece of kit though for the price considering you can pay twice that for a dual core with the same CPU speed and less ram.
Not sure what hardcore RouterOS users will make of this but OpenWRT has listed it on GitHub as work in progress. :)

Yeah for sure. Hell of a price for such a capable piece of hardware.
OpenWRT will probably appease some of the niggles but I doubt it will surpass RouterOS functionality, if it does then MT may as well just fold the company now.
 